Deny multiple password changing attempts
Summary
Passwords are not allowed to be changed more than once in the same day.
Description
By limiting the frequency of password changes to once per day is implemented as a security policy that helps to balance usability and security considerations.
References
- CWE-620. Unverified password change
- CWE-640. Weak password recovery mechanism for forgotten password
- OWASP10-A7. Identification and authentication failures
- MITRE-M1027. Password policies
- MITRE-M1036. Account use policies
- CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
- CMMC-IA_L2-3_5_7. Password complexity
- HITRUST-01_d. User password management
- FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
- IEC62443-IAC-1_11. Unsuccessful login attempts
- OWASPSCP-3. Authentication and password management
- SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- ASVS-2_6_1. Look-up secret verifier
- OWASPAPI-API8. Security Misconfiguration
- CASA-2_6_1. Look-up Secret Verifier
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.